You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Jeff Trawick <tr...@gmail.com> on 2012/06/06 23:07:59 UTC

Re: [users@httpd] LD_LIBRARY_PATH issue in 2.2.22 and earlier

On Thu, May 24, 2012 at 3:30 PM, William A. Rowe Jr.
<wr...@rowe-clan.net> wrote:
> On 5/24/2012 12:05 PM, Luke Lozier wrote:
>> One of the PCI scanning companies is demanding an upgrade to 2.4.2 due to the issues
>> described in this CVE:
>>
>> Changes with Apache 2.2.23
>>
>>   *) SECURITY: CVE-2012-0883 (cve.mitre.org <http://cve.mitre.org>)
>>      envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
>>      current working directory to be searched for DSOs. [Stefan Fritsch]
>>
>> Is there any idea when 2.2.23 will be released? I'd rather not upgrade to 2.4.2
>
> Modify your installed envvars (and envvars-std) script and apachectl (or equivilant
> script provided by your application vendor) to ensure that this code is changed;
>
>
> @@ -18,6 +18,10 @@
>  #
>  # This file is generated from envvars-std.in
>  #
> -LD_LIBRARY_PATH="/path/to/httpd/lib:$LD_LIBRARY_PATH"
> +if test "x$LD_LIBRARY_PATH" != "x" ; then
> +  LD_LIBRARY_PATH="/path/to/httpd/lib:$LD_LIBRARY_PATH"
> +else
> +  LD_LIBRARY_PATH="/path/to/httpd/lib"
> +fi
>  export LD_LIBRARY_PATH
>  #
>
> On oddball platforms this may be LIBPATH or SHLIB_PATH instead of LD_LIBRARY_PATH.
> If your platform's apachectl script invokes envvars, you are done.  If it doesn't,
> there may be an insecure LD_LIBRARY_PATH assignment, just use the example above.
>
> Upgrading for this defect is frankly silly, although effective.  There is no planned
> date yet for 2.2.23 although it will come along sometime in the not too distant
> future.

Actually, upgrading for this defect is not effective if the user
simply runs "make install" to update an existing installation.

They must manually edit/recreate envvars if an existing installation
directory is used.  I think that CHANGES entries and security doc
(http://httpd.apache.org/security/vulnerabilities_24.html) need to be
updated to cover this issue.  Alternate thoughts?


>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>



-- 
Born in Roswell... married an alien...
http://emptyhammock.com/